TCP.Data.On.SYN
Description
This indicates detection of a TCP SYN packet that contains data.
According to the TCP standard, there is only one case in which a correct TCP/IP stack implementation can accept a data segment with no ACK flag set --- the initial connection-soliciting SYN packet may carry data, but must not have the ACK flag set. In any other case, a data segment that does not bear the ACK flag should be discarded.
Some vulnerable systems may accept data segments that do not have the ACK flag set, and as a result allow attackers to bypass the TCP handshake procedure by prematurely closing the connection with a FIN packet. In the process, data is delivered to the listening system without proper sequence number verification. An attacker can use this method to spoof a TCP transaction.
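The condition this signature looks for can be checked directly on raw packets. The following is an added example (not FortiGuard's detection code) that parses a minimal IPv4/TCP header and flags a segment as "data on SYN" when SYN is set, ACK is clear and the TCP payload is non-empty; the packets it inspects are constructed inline with zeroed checksums and placeholder 192.0.2.x addresses.

```python
import struct

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10  # flag bits in TCP header byte 13

def build_ipv4_tcp(flags: int, payload: bytes = b"") -> bytes:
    """Constructed test input: minimal IPv4 + TCP packet, checksums left as zero."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip_hdr + tcp_hdr + payload

def parse_ipv4_tcp(pkt: bytes):
    """Return (tcp_flags, payload_len), or None if the bytes are not a sane IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        return None                               # not TCP, or lengths inconsistent
    tcp = pkt[ihl:total_len]                      # ignore any link-layer trailer
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4                 # TCP header length incl. options
    if data_off < 20 or data_off > len(tcp):
        return None
    return tcp[13], len(tcp) - data_off

def is_data_on_syn(pkt: bytes) -> bool:
    """True when the segment is a SYN (ACK clear) that carries a payload."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    flags, payload_len = parsed
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and payload_len > 0

# Constructed sample traffic: only the second packet should trigger the signature.
SAMPLES = {
    "plain SYN": build_ipv4_tcp(TCP_SYN),
    "SYN with data": build_ipv4_tcp(TCP_SYN, b"x" * 8),
    "SYN/ACK with data": build_ipv4_tcp(TCP_SYN | TCP_ACK, b"x"),
    "ACK with data": build_ipv4_tcp(TCP_ACK, b"x"),
}

def flag_samples() -> list:
    """Names of the constructed samples that match the TCP.Data.On.SYN condition."""
    return [name for name, pkt in SAMPLES.items() if is_data_on_syn(pkt)]

if __name__ == "__main__":
    for name in flag_samples():
        print("TCP.Data.On.SYN:", name)
```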
Affected Products
Internet-connected systems, especially many Linux systems, are vulnerable to this attack.
Impact
This is a protocol anomaly. Attackers can successfully bypass firewalls and attack a vulnerable system.
Recommended Actions
If a SYN packet contains abnormal data, you can select "Block" as the default action for this signature.
Telemetry
Coverage
IPS (Regular DB)
IPS (Extended DB)